Bug 858228 - Validate empty host subject from qemu exactly like when no explicit host subject is specified
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: spice-gtk
Version: 6.3
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: beta
Assignee: Marc-Andre Lureau
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-09-18 11:19 UTC by David Jaša
Modified: 2013-02-21 08:49 UTC (History)

Fixed In Version: spice-gtk-0.14-5.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-21 08:49:06 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0343 0 normal SHIPPED_LIVE spice-gtk bug fix and enhancement update 2013-02-20 20:53:54 UTC

Description David Jaša 2012-09-18 11:19:40 UTC
Description of problem:
Validate empty host subject from qemu exactly like when no explicit host subject is specified

Version-Release number of selected component (if applicable):
spice-gtk-0.13.29-3.el6.x86_64

How reproducible:
always

Steps to Reproduce:
0. Common to both: generate CA and server certs so that the CN= field in the server cert subject matches your machine hostname (e.g. Subject: O=rh,CN=my-laptop.example.com)

A: plain connection:
1. run qemu:
qemu-kvm -spice tls-port=SPORT,x509_dir=DIR,disable-ticketing
2. connect to the qemu:
remote-viewer --spice-ca-file DIR/ca-cert.pem spice://my-laptop.example.com/?tls-port=SPORT

B: migration
1. run source qemu:
qemu-kvm -monitor stdio -spice tls-port=SPORT1,x509_dir=DIR,disable-ticketing
2. run destination qemu:
qemu-kvm -monitor stdio -spice tls-port=SPORT2,x509_dir=DIR,disable-ticketing
3. connect to the source qemu:
remote-viewer --spice-ca-file DIR/ca-cert.pem spice://my-laptop.example.com/?tls-port=SPORT1
4. instruct source qemu to migrate the client without specifying host subject:
__com.redhat_spice_migrate_info my-laptop.example.com 0 SPORT2
  
Actual results:
A: r-v connects successfully because my-laptop.example.com FQDN matches CN in the certificate

B: r-v won't connect to the destination qemu with error:
(/usr/bin/remote-viewer:21596): Spice-Warning **: ssl_verify.c:484:openssl_verify: ssl: subject '' verification failed

Expected results:
A: the same
B: r-v should treat empty host subject as no host subject and verify CN= from Subject field with hostname

Additional info:
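
Added example, not part of the bug report or of spice-gtk's code: a simplified C model of the check requested above, where an empty host subject is handled like a missing one and the CN= field is compared with the hostname. The function names, the `empty_is_absent` switch and the string-based subject comparison are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified model: subjects are "K=V,K=V" strings, not X.509 names. */

/* Case-insensitive equality for DNS names. */
static int eq_nocase(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b))
        a++, b++;
    return *a == '\0' && *b == '\0';
}

/* Copy the value of the CN= field of subject into out; return 0 if found. */
static int subject_cn(const char *subject, char *out, size_t outlen)
{
    const char *p = subject;
    while (p && *p) {
        while (*p == ' ')
            p++;
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len > 3 && strncmp(p, "CN=", 3) == 0 && len - 3 < outlen) {
            memcpy(out, p + 3, len - 3);
            out[len - 3] = '\0';
            return 0;
        }
        p = end ? end + 1 : NULL;
    }
    return -1;
}

/* Return 1 if the peer is accepted, 0 otherwise. With empty_is_absent == 0 an
 * empty host subject is still compared as a subject (the failure in case B);
 * with 1 it falls back to the hostname check, as the report requests. */
int verify_peer(const char *cert_subject, const char *host,
                const char *host_subject, int empty_is_absent)
{
    char cn[256];
    int no_subject = host_subject == NULL ||
                     (empty_is_absent && host_subject[0] == '\0');
    if (!no_subject)
        return strcmp(cert_subject, host_subject) == 0;
    if (subject_cn(cert_subject, cn, sizeof cn) != 0)
        return 0;
    return eq_nocase(cn, host);
}
```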

Comment 2 Marc-Andre Lureau 2012-10-18 17:42:45 UTC
patch sent to ML

Comment 3 Marc-Andre Lureau 2012-12-10 13:00:50 UTC
in spice-gtk-0.14-5.el6

Comment 7 errata-xmlrpc 2013-02-21 08:49:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0343.html

